File name:	A653D1951B3DE7E0EDE77758187763B0.exe
Full analysis:	https://app.any.run/tasks/dc9163c9-4a91-46ab-bb62-897b37d3d867
Verdict:	Malicious activity
Threats:	NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	March 25, 2025, 04:02:41
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	github nanocore rat remote
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	A653D1951B3DE7E0EDE77758187763B0
SHA1:	06DF3427AA544488543152111F5C5CFC52D41463
SHA256:	21F3851DF5C3487B850C88275818072EB000857423F72608B0708B53BB3BBF64
SSDEEP:	98304:I6bXDBsQZa9fvSrpBZuYAtmN+KQ9QiD5AeT8WJz+jyaKaFE5FUgNWz+0LEmc3UOC:L0IY

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe	\|	Win64 Executable (generic) (23.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)
.exe	\|	Generic Win/DOS Executable (1.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:03:11 20:37:02+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	3130368
InitializedDataSize:	7680
UninitializedDataSize:	-
EntryPoint:	0x2fe23e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileDescription:
FileVersion:	1.0.0.0
InternalName:	R00tkit.exe
LegalCopyright:
OriginalFileName:	R00tkit.exe
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0


(PID) Process:	(4976) Blandly Rootkit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Blandly Rootkit_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4976) Blandly Rootkit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Blandly Rootkit_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(4976) Blandly Rootkit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Blandly Rootkit_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(4976) Blandly Rootkit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Blandly Rootkit_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(4976) Blandly Rootkit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Blandly Rootkit_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(4976) Blandly Rootkit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Blandly Rootkit_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(4976) Blandly Rootkit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Blandly Rootkit_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(4976) Blandly Rootkit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Blandly Rootkit_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(4976) Blandly Rootkit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Blandly Rootkit_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(4976) Blandly Rootkit.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Blandly Rootkit_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

PID	Process	Filename		Type
4776	A653D1951B3DE7E0EDE77758187763B0.exe	C:\Users\admin\AppData\Local\Temp\3377.exe		executable
		MD5:0E013A4DB9F8352623A4EAA401D1911D	SHA256:0AFBFA4A8F94EF9204F6E19B8E65BB68A74795745F2D8C996AFFFAA44F4A2908
4244	ksmj.ddns.net.exe	C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\run.dat		text
		MD5:7D4C2D3BDCF96E9F365D44A61E458C58	SHA256:FA740301C16E9A3E5E2244D72EEA41E8B93233B29A18498DA75751C8D16539BE
4776	A653D1951B3DE7E0EDE77758187763B0.exe	C:\Users\admin\AppData\Local\Temp\ksmj.ddns.net.exe		executable
		MD5:E2557F03A5D4DE545313BA77DE25139E	SHA256:CFD8EE211B76DB67B79ED33DDCE0BC60EC697E8E1E1162A02543188587760B56
4776	A653D1951B3DE7E0EDE77758187763B0.exe	C:\Users\admin\AppData\Local\Temp\R00tkit Blandly.exe		executable
		MD5:B66E88BA098DA4D287B2DD99F69D14EF	SHA256:105FEE6FB5D6119C586844D5B7CEAA27B86C8ACE1B8C2C30EAEA51EB55C7B115
4976	Blandly Rootkit.exe	C:\Users\admin\AppData\Local\Temp\bin\latestversion		text
		MD5:F619991470DF8B3A8AD907BE8BC5FBD4	SHA256:7F98E71C92F0055050A542C8A53E348320C6812CBFE33C12C53C1B153080A2B8
6744	R00tkit Blandly.exe	C:\Users\admin\AppData\Local\Temp\Blandly Rootkit.exe		executable
		MD5:302E8CD3926E071313C59CB2AD1D1D79	SHA256:984360F867C1891F7EA6293AC2F72907321D1BCC4E68184327DAD522744C97A5

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
5304	RUXIMICS.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
—	—	GET	200	140.82.121.4:443	https://raw.githubusercontent.com/C5Hackr/Phantom/main/version	unknown	text	7 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	unknown
2104	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5304	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	unknown
2104	svchost.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
5304	RUXIMICS.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
4976	Blandly Rootkit.exe	185.199.111.133:443	raw.githubusercontent.com	FASTLY	US	unknown
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6620	3377.exe	169.150.202.83:5552	ksmj.ddns.net	Datacamp Limited	IL	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	unknown
google.com	216.58.206.78	unknown
crl.microsoft.com	23.53.40.176 23.53.40.178	unknown
ksmj.ddns.net	169.150.202.83	unknown
raw.githubusercontent.com	185.199.111.133 185.199.109.133 185.199.110.133 185.199.108.133	unknown
activation-v2.sls.microsoft.com	40.91.76.224	unknown

PID	Process	Class	Message
6620	3377.exe	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
6620	3377.exe	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
4244	ksmj.ddns.net.exe	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
4244	ksmj.ddns.net.exe	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
4244	ksmj.ddns.net.exe	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
4244	ksmj.ddns.net.exe	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
4244	ksmj.ddns.net.exe	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
4244	ksmj.ddns.net.exe	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
4244	ksmj.ddns.net.exe	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net

General Info

A653D1951B3DE7E0EDE77758187763B0.exe

A653D1951B3DE7E0EDE77758187763B0

06DF3427AA544488543152111F5C5CFC52D41463

21F3851DF5C3487B850C88275818072EB000857423F72608B0708B53BB3BBF64

98304:I6bXDBsQZa9fvSrpBZuYAtmN+KQ9QiD5AeT8WJz+jyaKaFE5FUgNWz+0LEmc3UOC:L0IY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

NANOCORE has been detected (SURICATA)

NANOCORE has been detected (YARA)

Connects to the CnC server

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Connects to unusual port

Contacting a server suspected of hosting an CnC

INFO

Reads the machine GUID from the registry

Reads the computer name

Checks supported languages

Create files in a temporary directory

Process checks computer location settings

Process checks whether UAC notifications are on

Creates files or folders in the user directory

Reads Environment values

Disables trace logs

Checks proxy server information

Reads the software policy settings

Malware configuration

Nanocore

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Malware configuration

Nanocore

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Nanocore

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings